git.proxmox.com Git - mirror_ovs.git/blame - lib/daemon.xml
python: Update build system to ensure dirs.py is created.
<?xml version="1.0" encoding="utf-8"?>
<dl>
  <dt><code>--pidfile</code>[<code>=</code><var>pidfile</var>]</dt>
  <dd>
    <p>
      Causes a file (by default, <code><var>program</var>.pid</code>) to be
      created indicating the PID of the running process.  If the
      <var>pidfile</var> argument is not specified, or if it does not begin
      with <code>/</code>, then it is created in <code>@RUNDIR@</code>.
    </p>

    <p>
      If <code>--pidfile</code> is not specified, no pidfile is created.
    </p>
  </dd>

  <dt><code>--overwrite-pidfile</code></dt>
  <dd>
    <p>
      By default, when <code>--pidfile</code> is specified and the specified
      pidfile already exists and is locked by a running process, the daemon
      refuses to start.  Specify <code>--overwrite-pidfile</code> to cause it
      to instead overwrite the pidfile.
    </p>

    <p>
      When <code>--pidfile</code> is not specified, this option has no effect.
    </p>
  </dd>

  <dt><code>--detach</code></dt>
  <dd>
    Runs this program as a background process.  The process forks, and in the
    child it starts a new session, closes the standard file descriptors (which
    has the side effect of disabling logging to the console), and changes its
    current directory to the root (unless <code>--no-chdir</code> is
    specified).  After the child completes its initialization, the parent
    exits.
  </dd>

  <dt><code>--monitor</code></dt>
  <dd>
    <p>
      Creates an additional process to monitor this program.  If it dies due to
      a signal that indicates a programming error (<code>SIGABRT</code>,
      <code>SIGALRM</code>, <code>SIGBUS</code>, <code>SIGFPE</code>,
      <code>SIGILL</code>, <code>SIGPIPE</code>, <code>SIGSEGV</code>,
      <code>SIGXCPU</code>, or <code>SIGXFSZ</code>) then the monitor process
      starts a new copy of it.  If the daemon dies or exits for another reason,
      the monitor process exits.
    </p>

    <p>
      This option is normally used with <code>--detach</code>, but it also
      functions without it.
    </p>
  </dd>

  <dt><code>--no-chdir</code></dt>
  <dd>
    <p>
      By default, when <code>--detach</code> is specified, the daemon changes
      its current working directory to the root directory after it detaches.
      Otherwise, invoking the daemon from a carelessly chosen directory would
      prevent the administrator from unmounting the file system that holds that
      directory.
    </p>

    <p>
      Specifying <code>--no-chdir</code> suppresses this behavior, preventing
      the daemon from changing its current working directory.  This may be
      useful for collecting core files, since it is common behavior to write
      core dumps into the current working directory and the root directory is
      not a good directory to use.
    </p>

    <p>
      This option has no effect when <code>--detach</code> is not specified.
    </p>
  </dd>

  <dt><code>--no-self-confinement</code></dt>
  <dd>
    By default, this daemon tries to confine itself to working with files
    under well-known directories determined at build time.  It is better to
    stick with this default behavior and not use this flag unless some other
    access control mechanism is used to confine the daemon.  Note that in
    contrast to other access control implementations that are typically
    enforced from kernel space (e.g. DAC or MAC), self-confinement is imposed
    by the user-space daemon itself and hence should not be considered a full
    confinement strategy, but should instead be viewed as an additional layer
    of security.
  </dd>

  <dt><code>--user=</code><var>user</var><code>:</code><var>group</var></dt>
  <dd>
    <p>
      Causes this program to run as a different user specified in
      <var>user</var><code>:</code><var>group</var>, thus dropping most of the
      root privileges.  Short forms <var>user</var> and
      <code>:</code><var>group</var> are also allowed, with current user or
      group assumed, respectively.  Only daemons started by the root user
      accept this argument.
    </p>

    <p>
      On Linux, daemons will be granted <code>CAP_IPC_LOCK</code> and
      <code>CAP_NET_BIND_SERVICE</code> before dropping root privileges.
      Daemons that interact with a datapath, such as
      <code>ovs-vswitchd</code>, will be granted three additional
      capabilities, namely <code>CAP_NET_ADMIN</code>,
      <code>CAP_NET_BROADCAST</code> and <code>CAP_NET_RAW</code>.  The
      capability change will apply even if the new user is root.
    </p>

    <p>
      On Windows, this option is not currently supported.  For security
      reasons, specifying this option will cause the daemon process not to
      start.
    </p>
  </dd>
</dl>
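One way to verify the capability sets described for `--user` on a running daemon, as an added example (not part of the Open vSwitch sources): decode `CapEff` from `/proc/<pid>/status` and compare it with the documented set. The function names and the sample status excerpts are constructed for illustration; capability names and bit numbers are those of `<linux/capability.h>`, and the check assumes the granted capabilities appear in the effective set.

```python
import re

# Capability bit numbers from <linux/capability.h>.
CAP_BITS = {
    "CAP_NET_BIND_SERVICE": 10,
    "CAP_NET_BROADCAST": 11,
    "CAP_NET_ADMIN": 12,
    "CAP_NET_RAW": 13,
    "CAP_IPC_LOCK": 14,
}
# Sets described for --user on Linux.
BASE = {"CAP_IPC_LOCK", "CAP_NET_BIND_SERVICE"}
DATAPATH = BASE | {"CAP_NET_ADMIN", "CAP_NET_BROADCAST", "CAP_NET_RAW"}

# Constructed /proc/<pid>/status excerpts (not captured from a real host).
DROPPED_VSWITCHD = "Name:\tovs-vswitchd\nUid:\t995\t995\t995\t995\nCapEff:\t0000000000007c00\n"
ROOT_REDUCED = "Name:\tovsdb-server\nUid:\t0\t0\t0\t0\nCapEff:\t0000000000004400\n"
FULL_ROOT = "Name:\tovs-vswitchd\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"


def parse_status(text):
    """Return (effective uid, CapEff as int) from /proc/<pid>/status text."""
    uid = re.search(r"^Uid:\s+\d+\s+(\d+)", text, re.M)
    cap = re.search(r"^CapEff:\s+([0-9a-fA-F]+)", text, re.M)
    if not uid or not cap:
        raise ValueError("status text lacks Uid or CapEff line")
    return int(uid.group(1)), int(cap.group(1), 16)


def audit(text, datapath=False):
    """Compare held effective capabilities with the documented set."""
    expected = DATAPATH if datapath else BASE
    euid, capeff = parse_status(text)
    held = {name for name, bit in CAP_BITS.items() if capeff >> bit & 1}
    known = sum(1 << bit for bit in CAP_BITS.values())
    other = capeff & ~known  # any capability outside the five above
    return {
        "euid": euid,
        "missing": sorted(expected - held),
        "unexpected": sorted(held - expected),
        "other_bits": other,
        # euid is reported but not judged: the reduced set applies even to root
        "ok": held == expected and other == 0,
    }


if __name__ == "__main__":
    for sample, dp in ((DROPPED_VSWITCHD, True), (ROOT_REDUCED, False), (FULL_ROOT, True)):
        print(audit(sample, datapath=dp))
```

A daemon started without `--user` shows up like the `FULL_ROOT` sample: nothing is missing, but `other_bits` is non-zero because the full root capability set is still held.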